geeks, computers, and bread

The more I get to play with hardware, the more I get to see how security is lacking or implemented poorly (and I’m being very polite here). This time, I would like to share my 315 MHz/434 MHz RF sniffer project, which can be used to open poorly protected gates, cars, etc. Nothing new under the sun, only my own take on building such a device.

TIP – The length of the antenna is VERY important. Don’t neglect it: use the right length for the frequency, and use a wavelength calculator for future reference.

The story

I wanted to see how easy it is to open a keyless car using an Arduino. And then I wanted to simultaneously control multiple appliances operating on different frequencies (315 MHz/434 MHz).

Using the following design, you can easily make a fuzzer to randomly open/close/control all kinds of RF receivers out there. You have been warned.

The current version of the sniffer resends whatever it sniffs 10 times. This behaviour is easy to change.

I am using the RCSwitch library to reduce heavy thinking on my part. Mission accomplished.

The hardware schematic I provided is exactly the one I used in my tests. The software is a stripped-down version of my full project’s code, but it is enough to get one started.

With a few modifications to the code, one can simply record the sniffed data instead of immediately resending it. Also, for useful results, a delay() should be considered between resends, for obvious reasons😉

The most vulnerable targets I found are remote-controlled gates and old cars. Weather stations also seem to produce a lot of noise.

Using the same logic, one can add an 816 MHz TX/RX pair to cover the most widely used RF bands out there, and rule them all🙂
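As an added illustration (not code from the post), the following Python simulation shows why the replay described above opens a fixed-code receiver but not a rolling-code one. The receivers, the counter window and the HMAC tag are constructed models of my own, not any real gate or car protocol.

```python
import hmac
import hashlib

def mac_tag(key: bytes, counter: int) -> bytes:
    """Truncated HMAC over the counter; remote and receiver share `key` (constructed model)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class FixedCodeReceiver:
    """Gate/car receiver that compares every frame to one programmed code."""
    def __init__(self, code: int):
        self.code = code
    def accept(self, frame) -> bool:
        return frame == self.code

class RollingCodeReceiver:
    """Accepts a frame only if its counter is ahead of the last accepted one
    (within a resync window) and its tag verifies; a captured frame is stale
    as soon as the legitimate press has been accepted."""
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.last = key, window, 0
    def accept(self, frame) -> bool:
        counter, tag = frame
        if not self.last < counter <= self.last + self.window:
            return False  # already used (replay) or too far ahead
        if not hmac.compare_digest(tag, mac_tag(self.key, counter)):
            return False  # counter forged without the shared key
        self.last = counter
        return True

def sniff_and_replay(receiver, frame, repeats: int = 10) -> int:
    """Model the post's sniffer: resend the captured frame 10 times and count
    how many resends the receiver accepts."""
    return sum(receiver.accept(frame) for _ in range(repeats))

def fixed_code_demo():
    receiver = FixedCodeReceiver(code=0x2F3A1)   # constructed sample code
    legit = 0x2F3A1                              # owner's remote sends this
    opened = receiver.accept(legit)              # sniffer captures it in flight
    return opened, sniff_and_replay(receiver, legit)

def rolling_code_demo():
    key = b"constructed-demo-key"                # placeholder shared secret
    receiver = RollingCodeReceiver(key)
    legit = (1, mac_tag(key, 1))                 # first press, counter 1
    opened = receiver.accept(legit)
    replayed = sniff_and_replay(receiver, legit)   # every resend is stale
    later = receiver.accept((5, mac_tag(key, 5)))  # skipped presses still resync
    return opened, replayed, later
```

The fixed-code receiver opens on the owner's press and on all 10 resends; the rolling-code receiver opens once, rejects every resend, and still accepts a later legitimate press.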

Simple circuit, simple code – but not flying! Receiver not seeing anything? I see chatter on other sites about a 1M resistor between the data line and ground, a 330 µF cap, and production changes on the RX board pushing less power through the data line. No joy! Any clues???

Ziggy, I really like your project. I have the library, replicated the circuit and code, and quadruple-checked everything, but the receivers are never ‘available’. I have three 315 MHz devices to ‘sniff’, but with/without antennas, placing devices near/far from the antenna, and even ordering/installing new RX/TX boards has no impact on the results. Commenting out the .available test just yields the same data stream regardless of the device I test and, in fact, powering off the circuit has no impact on the data stream. I used SparkFun as the supplier.
Please, any hints for me?

I totally understand your frustration, since it took me a while and some trial & error to get everything to work smoothly (e.g., I too have looked into connecting a resistor to the data line…).

I think you should first make sure your hardware is 100% supported by this library; maybe you need to use a different lib/code to match your receiver. Play with the code until you start getting some RAW (hex) data, then adjust it to your purpose.

I have to reach our house by a shared drive with an electronic gate. The owner will not give me the remote to copy. Is there any way I can buy a sniffer so that I can copy the opening code?
I know nothing about electronics.

Thank you for that, but it looks as though I have to get hold of my neighbour’s remote to work it. What I need is something I can leave in my garden so that when he uses his remote it will pick up the signal. Then I should be able to duplicate it with the sort of device you suggest.

What your neighbor has done is illegal. You have the right to access your property and he cannot unreasonably deny you access. If his property is considered the dominant property, he has the right to put up a gate, but he must give you unrestricted access to it. This includes a key. It is illegal for him to tell you to wait for him to open the gate for you, as you may need access when he is not home.

Thank you.
To a non-electrician it looks very complex to make a sniffer, and I am trying to find someone in the UK to make the device. How close does it need to be to the gate to pick up the signal? Or maybe it needs to be close to the remote being used?

I want to know: does this sketch work with any modulation and encoding out of the box? For example, does it simply sniff and transmit raw data, kind of like hackrf_transfer using a raw IQ/WAV file to do a replay attack? Or does the library define some sort of encoding like ASK/OOK?

Hi, thanks for your tutorial!! Just wondering if you could help me out. I’ve got an Arduino Uno and a 433 MHz receiver and transmitter. I’m having trouble: I can pick up signals from some remotes but not others, but they are all 433 MHz remotes. I see in a lot of the tutorials people are using the 8-pin 433 MHz receiver; mine’s only the 4-pin, which from what I can tell is the cheap version by what it cost😄, and I see a lot more people using the other ones. Could this be why I’m only picking up certain 433 MHz signals from some remotes and not others? Sorry if it’s a dumb question! Still new to this.

Good question, but I have to admit I never played with 8-pin receivers. Maybe it’s an encoding issue, distance, antenna – I would play with any of those vectors to test for any changes. Try to obtain an SDR (HackRF or alike) to watch your signals and debug it further😉

I am going to try and find someone to make the sniffer for me, but before I do, can I clarify one thing?
If I locate the device near the gate and activate it when he exits, will it record the signal for me?
If it does, that is ideal, if I can then transmit the signal with one of the RF duplicators that you advise, I assume?

There is no start/stop in the code provided – only an endless sniffing & replaying routine, as a basic template example.
Regarding RCSwitch, consult your IDE docs on how to install Arduino libraries (usually it’s extracting the zip into the ~/Arduino/libraries/ folder).

Hello z4ziggy, is there any chance to write in private?
I connected all the wires, but nothing is working. The LED flashes about 5 times the first time I connect the Arduino to the PC. Then it stops. The serial monitor shows nothing except + Listening.
When connecting the LED to the breadboard, the orange LED on the Arduino illuminates at half its power.
I would appreciate your help. Thanks.

I doubt I can help much – you’ll have to do the debugging yourself.
I suggest you start with connecting only 1 transmitter and getting it to work first – it might take some playing with the code and the pins to get the correct layout, so don’t be discouraged – enjoy the path😉

Here is just one question. Can this device open any RF receiver without having any contact with, let’s say, the remote for the garage? Can I just walk up to any random garage and open it with this project? Please correct me if my point of view on this project is totally off the subject, and if you don’t mind, is there not a link or any information on what exactly this RF sniffer does? I posted a link on Yahoo asking the same question and no one is getting back to me. But if it is too much inconvenience, I understand.

The project I’m describing here is a sniffer – i.e., it will sniff an existing signal and will let you replay it at your will. It will not fuzz or try different combos to open unknown garage doors. You can find in the comments above links to other ready-made products (sold on eBay/AliExpress) which won’t require as much technical know-how as this one.

I am truly sorry for all the questions, but I would like to ask you: is there such a device that can work on remotes that have cycling frequencies? Another thing I would like to know: is there such a device, like you mentioned before, that can fuzz or try different combos to open unknown garage doors?

I really try to find this information on Google, but it’s that easy for me, and like I said before, if it’s too much inconvenience, I understand.

Hi z4ziggy, I hope you don’t mind me bothering you with all the questions, but I have done some more research on RF sniffers and I have found Samy Kamkar’s invention to be quite interesting; I am sure you have heard of him. His device (RollJam) can bypass rolling codes, which is the device I asked you about previously. I just wanted to know if the HackRF One device can do everything your RF sniffer can do?

Hi z4ziggy, please can you answer this question for me? I tried asking others but I didn’t succeed. I am sure you have heard of Andrew Nohawk, and I want to learn how to hack rolling codes; he shows you how on his website. I want to learn while having everything I need in my possession; I would find it much easier that way, going through it step by step. As I read through it, I find it quite difficult finding out everything I need. Could you be kind enough to tell me everything I need to go about doing this? P.S. I don’t know whether I should get a YardStick One or RfCat or even both, so if you could help me with this I would be so grateful.

He uses a YardStick One to jam the car receiver while reading the remote transmission at the same time. He then stops the jam and resends the captured transmission to the car. I suggest you contact Andrew Nohawk for further details. Good luck.

He actually uses TWO YardStick Ones, since it’s a half-duplex device (i.e., it can only send OR receive at any one time). You can use a BladeRF or another full-duplex SDR device which supports this frequency range. Good luck.

Hello z4ziggy, I am doing research at my school and am interested in possibly using your design to demonstrate this device to our local police department and write a report on the increasing problem of these types of devices. Is everything you listed, as well as the code and diagram, enough to get one to work? What is the difference between the code you have here and your full one? I also wanted to get your approval on the use of your design for this purpose.

Feel free to use this as you like. My private code was a bit more malicious – it saved the sniffed data and allowed me to resend it whenever I wanted (by pressing a button), but this should be enough for a demo and you can always enhance it yourself. Good luck.

Hi z4ziggy, I am going to buy two YardStick Ones. I am going to learn how to hack rolling codes using Andrew Nohawk’s method, and I just wanted to make sure that is all I need, for example, no RTL-SDR or any other devices. I just want to know everything I need so I can buy it all at once. I managed to save some cash in order to buy these things, and I am still in school, so it’s difficult for me to make money, but I managed, and I just don’t want to buy the wrong stuff.

There is another thing I wanted to know: before, you mentioned that I can use a duplex SDR device which supports this frequency range. Should I be concerned about the frequency range if I were to buy the two YardStick Ones? I don’t know if this matters, but I am situated in South Africa.

In theory, this clones the code that transmits a car command. But if you are trying to play maliciously, how can you modify it so that the owner’s command does not open the car and they have to press again, and you can use the previous code? Thanks.